chatmasta 4 hours ago

This is not a security vulnerability, it’s been documented in the user interface for years. That’s why I have no profile picture and no status. You clearly opt into “everyone” viewing it, and it’s obvious this is literally anyone, because when you add a new contact, you simply enter their phone number and can see their profile picture and status. It doesn’t take a leap of imagination to enumerate that for the space of valid phone numbers.

porridgeraisin 3 hours ago | parent [-]

There is a way to show profile pictures to only contacts. It's a setting.

chatmasta 2 hours ago | parent [-]

Yes, and those people didn't get their profile pictures exposed through this phone number enumeration. If they had, then maybe it would have qualified as a security breach.